[Freeipa-users] best practices for subdomains

Petr Spacek pspacek at redhat.com
Tue Mar 4 09:30:16 UTC 2014


On 3.3.2014 22:57, Brendan Kearney wrote:
> On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
>> On 1.3.2014 23:20, Brendan Kearney wrote:
>>> i am using bind-dyndb-ldap outside of freeipa, and want to create
>>> _tcp.my-domain.com and _udp.my-domain.com subdomains.  i have tried, but
>>> seem to come up short and nslookup fails for the records i try to create
>>> in the subdomains.  some googling and searching in the wiki have not
>>> provided me with much go on.  below is an attempt at _tcp.my-domain.com
>>>
>>> dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
>>> dnsttl: 3600
>>> idnsallowdynupdate: FALSE
>>> idnsallowsyncptr: FALSE
>>> idnsname: _tcp.my-domain.com.
>>> idnssoaexpire: 604800
>>> idnssoaminimum: 86400
>>> idnssoamname: server.my-domain.com.
>>> idnssoarefresh: 10800
>>> idnssoaretry: 900
>>> idnssoarname: root.server.my-domain.com.
>>> idnssoaserial: 1
>>> idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
>>> idnszoneactive: TRUE
>>> nsrecord: server.my-domain.com.
>>> objectclass: top
>>> objectclass: idnsZone
>>> objectclass: idnsRecord
>>>
>>> what is the correct way to create a subdomain?
>>
>> First of all, do you really want to create *subdomains* for _tcp and _udp or
>> do you just need to create couple records like _ldap._tcp in a existing
>> domain? It is very unusual to create separate subdomains for _tcp and _udp.
>>
>> I'm attaching small snippet which shows how to add _ldap._tcp SRV record to
>> existing domain ipa.example.
>>
>> Please be so kind and send us information mentioned on
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow
>>
>> We would like to know how users use bind-dyndb-ldap, which LDAP server is used
>> outside FreeIPA and so on.
>>
>> Have a nice day!
>>
>
> What distribution you use? Fedora
> Which distribution version you use? Fedora 20, with latest updates
> Which architecture you use? x86_64 on a qemu VM
>
> What plugin version you use? bind-dyndb-ldap-3.5-1.fc20.x86_64
> Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
> openldap-servers-2.4.39-2.fc20.x86_64
> Which version of BIND you use? bind-9.9.4-11.P2.fc20.x86_64
>
> Please provide dynamic-db section from configuration
> file /etc/named.conf
> dynamic-db "my-domain.com" {
>         library "ldap.so";
>         arg "uri ldap://127.0.0.1/";
>         arg "base cn=dns,dc=my-domain,dc=com";
>         arg "auth_method simple";
>         arg "bind_dn cn=Manager,dc=my-domain,dc=com";
>         arg "password *****";
>         arg "psearch no";
>         // arg "serial_autoincrement yes";
>         arg "sync_ptr yes";
>         arg "dyn_update yes";
>         arg "connections 2";
>         arg "cache_ttl 300";
>         arg "verbose_checks yes";
> };
>
> Do you have some other text based or DLZ zones configured? no
> Do you have some global forwarders configured in BIND configuration
> file? no
>
> Do you have some settings in global configuration object in LDAP?
> dn: cn=dns,dc=my-domain,dc=com
> cn: dns
> idnspersistentsearch: FALSE
> idnszonerefresh: 30
> objectclass: top
> objectclass: nsContainer
> objectclass: idnsConfigObject
>
> without a doubt i want to use subdomains (or subzones, if that's the
> correct term) for _tcp and _udp.  kerberos, kerberos-adm,
> kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records i
> want to manage, and having them in the regular forward zone is not as
> clean, neat and organized as i want to be.  also, i may want to have
> forward subdomains (sub.my-domain.com, for example, with
> testhost.sub.my-domain.com as an A record).

Please see attached LDIFs.

_udp.example.com.ldif adds new zone _udp.example.com and one SRV record into it.

example.com.ldif adds *required* delegation from parent zone example.com to 
_udp.example.com.

Please do not forget that NS records have to be valid (i.e. have to point to 
an existing A/AAAA record) so edit them as appropriate.

Delegation via NS records from parent zone is *required* by DNS standards, 
never omit them. (It could work for a while without them but things will fail 
as soon as you try to debug something, direct a client to use more than 1 DNS 
server etc.)

Note that you have to create a separate zone *and required delegation* for 
each separate sub-tree, i.e. even for _kerberos name in example.com etc.

I have warned you :-) Have a nice day!

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.com.ldif
Type: text/x-ldif
Size: 746 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140304/24f19196/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _udp.example.com.ldif
Type: text/x-ldif
Size: 781 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140304/24f19196/attachment-0001.bin>
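The two rules in the reply above (a subzone needs an NS delegation in its parent zone, and every NS target needs an A/AAAA record) are easy to get wrong when zones are edited by hand in LDAP. The following is an added example, not code from the thread or from bind-dyndb-ldap: it reads a constructed LDIF dump using the idnsZone/idnsRecord attribute names seen in the thread (nSRecord, aRecord, sRVRecord), indexes which zone owns each name, and reports subzones that are missing their delegation or whose NS targets have no address record. The sample data (example.com with _udp and _tcp subzones, ns1/ns2, a constructed _kerberos SRV) and the tiny LDIF reader are assumptions made for this example; the reader only handles plain `attr: value` lines, not base64 or folded values.

```python
# Added example: delegation checker for bind-dyndb-ldap style zone data (constructed sample).
import re
from collections import defaultdict

# Constructed sample: example.com delegates _udp correctly, but _tcp has no delegation and
# its NS target ns2 has no A record. Attribute names follow the schema seen in the thread.
SAMPLE_LDIF = """\
dn: idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com.
nSRecord: ns1.example.com.

dn: idnsName=ns1,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: ns1
aRecord: 192.0.2.53

dn: idnsName=_udp,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: _udp
nSRecord: ns1.example.com.

dn: idnsName=_udp.example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
objectClass: idnsRecord
idnsName: _udp.example.com.
nSRecord: ns1.example.com.

dn: idnsName=_kerberos,idnsName=_udp.example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: _kerberos
sRVRecord: 0 100 88 kdc.example.com.

dn: idnsName=_tcp.example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
objectClass: idnsRecord
idnsName: _tcp.example.com.
nSRecord: ns2.example.com.
"""

# Constructed fix for _tcp.example.com: the delegation in the parent plus an A record for ns2.
FIX_LDIF = """\
dn: idnsName=_tcp,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: _tcp
nSRecord: ns2.example.com.

dn: idnsName=ns2,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: ns2
aRecord: 192.0.2.54
"""

def parse_ldif(text):
    """Tiny LDIF reader: plain 'attr: value' entries separated by blank lines (no base64, no folding).
    Returns [(dn, {attr_lowercase: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def load_zones(entries):
    """Index entries into: zones (set), records {(owner_zone, fqdn): attrs}, names that have A/AAAA (set)."""
    zones, records, addressed = set(), {}, set()
    for dn, attrs in entries:
        # Record names are relative to the zone named by the enclosing idnsName RDN ('@' = apex).
        idns = [v.lower() for k, v in (r.split("=", 1) for r in dn.split(",")) if k.lower() == "idnsname"]
        zone, rel = idns[-1], idns[0]
        fqdn = zone if rel in ("@", zone) else (rel if rel.endswith(".") else f"{rel}.{zone}")
        if any(oc.lower() == "idnszone" for oc in attrs["objectclass"]):
            zones.add(zone)
        for attr, values in attrs.items():
            records.setdefault((zone, fqdn), defaultdict(list))[attr].extend(values)
        if attrs.get("arecord") or attrs.get("aaaarecord"):
            addressed.add(fqdn)
    return zones, records, addressed

def check_delegations(ldif_text):
    """Return findings as strings; an empty list means every subzone is delegated and every NS has glue."""
    zones, records, addressed = load_zones(parse_ldif(ldif_text))
    findings = []
    for zone in sorted(zones):
        parents = [p for p in zones if p != zone and zone.endswith("." + p)]
        owners = [zone]                      # zones that may hold NS records at this name
        if parents:
            parent = max(parents, key=len)   # closest enclosing zone present in this data set
            owners.append(parent)
            if not records.get((parent, zone), {}).get("nsrecord"):
                findings.append(f"{zone}: no NS delegation in parent zone {parent}")
        for owner in owners:                 # apex NS and delegation NS both need address records
            for target in records.get((owner, zone), {}).get("nsrecord", []):
                if target.lower() not in addressed:
                    findings.append(f"{zone}: NS target {target} (in zone {owner}) has no A/AAAA record")
    return findings

if __name__ == "__main__":
    print(*(check_delegations(SAMPLE_LDIF) or ["no problems found"]), sep="\n")
```

Run against a real dump (`ldapsearch -LLL -b cn=dns,...` output with plain values) the checker only sees zones that are in the dump, so a parent zone served by a different DNS server is not checked; the rule about NS targets still applies to it, and that check has to be done with a resolver instead.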